Authentication of a user and his credentials is the first line of defense. User authentication involves confirming the identity of a user and validating that a user is trusted and can use a computer resource based on his credentials. Most people protect their online accounts using some form of passwords. On an average a typical user has about 20 accounts for which they need to remember passwords. Most users utilize the same password for most accounts just to make it easier to remember. This practice makes all accounts vulnerable and makes it easier for a hacker to break into all other accounts if one of the accounts is compromised.
ID's can be lost or stolen during transactions (whether its login, payment, or other transactions), and ID's must be presented in many places explicitly. For example, in the process of electronic payment, one's credit card details must be presented to a counter party. Although an ID in a transaction may be encrypted, there are still many possibilities that an ID can be lost or stolen.
Static or fixed password is a common form of authentication method in use today.
In the static password authentication method, the user enters static user id and password on a client site and submits. Then the request is sent to the authentication server to validate the credentials of the user. If the credentials are valid the user is traversed to the next page.
With static password, keeping the accounts secure and hack proof is a difficult task. To keep his accounts from being compromised, the user must select long, difficult to predict passwords. Most users use some of their personal information to create their password thus making it easier to remember. In addition, users have a tendency to use the same password for most of their accounts as remembering multiple passwords can be quite a challenge.
Protecting documents is several orders of magnitude more difficult due to (a) the much larger number of objects to be protected, (b) the difficulty of applying multi-factor authentication, and (c) the need to distribute the passwords among multiple recipients of the document(s).
An object of the present invention is to provide an authentication system, authentication method, and key distribution method which permit improvement in the security of the document storage and distribution process while making it easier to use than existing methods. The invention utilizes bi-directional, asynchronous, out-of-band authentication.
One embodiment according to the invention is based on a multi-dimensional QR Code which provides a vehicle for strong authentication, ease of use, minimal switching cost and lower total cost of ownership.
In addition, or in the alternative, an embodiment uses Bluetooth in place of the QR Code.
In addition, or in the alternative, an embodiment uses NFC in place of the QR Code.
In addition, or in the alternative, an embodiment uses computer generated sound in place of the QR Code.
By utilizing the multi-dimension bar code, NFC, Bluetooth, or Audio, the invention, as described herein, improves usability and eliminates key security issues.
The method, according to the invention, uses shared keys protected with each recipient's private key (e.g from a public/private key pair) distributed via a central point to a key store on a personal device, such as a smartphone. The device communicates with various document rendering and manipulation tools via the aforementioned QR code, Bluetooth, NFC, or Audio, and out-of-band communications to decrypt the document(s) on demand. A document may be protected with multiple keys to permit different recipients to view different subsets of the document. This method also provides for partial or total document invalidation or redaction after delivery.